[CentOS] SELinux and SETroubleshootd woes in CR

Tue Nov 1 20:24:56 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>


On 11/01/2011 04:16 PM, Trey Dockendorf wrote:
> I'm setting up a dedicated database server, and since this will be
> a central service to my various web servers I wanted it to be as
> secure as possible...so I am leaving SELinux enabled.  However I'm
> having trouble getting Apache to use mod_auth_pam.  I also now
> can't get setroubleshootd working to send me notifications of the
> denials and provide tips to solve the problem.
> 
> The Apache service has this directive on the default vhost,
> -------------------
> <Directory "/usr/share/phpMyAdmin">
>     AuthPAM_Enabled on
>     AllowOverride None
>     AuthName "HTTP Auth"
>     AuthType basic
>     require valid-user
> </Directory>
> 
> When I attempt to authenticate I noticed this in /var/log/secure
> --------------------
> Nov  1 15:06:58 host httpd: PAM audit_open() failed: Permission denied
> 
> This is the entry from the audit log...
> ----------------
> type=AVC msg=audit(1320178016.209:919): avc:  denied  { create } for  pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1320178018.386:920): avc:  denied  { create } for  pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> 
> 
> As for setroubleshoot, I have a duplicate install working just fine
> on another server, or at least it was working.  I'm worried
> updating to CR may have broken setroubleshootd.  Mainly I'd like to
> know how to troubleshoot that application.  Messagebus is running.
> 
> Running setroubleshootd yields these results...
> -------------------
> # setroubleshootd -f -V
> 2011-11-01 15:11:53,919 [database.DEBUG] created new database: name=audit_listener, friendly_name=Audit Listener, filepath=/var/lib/setroubleshoot/audit_listener_database.xml
> 2011-11-01 15:11:53,920 [database.DEBUG] database version 3.0 compatible with current 3.0 version
> 2011-11-01 15:11:53,923 [plugin.DEBUG] load_plugins() names=['httpd_bad_labels',
> 'allow_saslauthd_read_shadow', 'tftpd_write_content',
> 'allow_nfsd_anon_write', 'vbetool', 'allow_ypbind',
> 'httpd_use_cifs', 'file', 'allow_execheap', 'nfs_export_all_rw',
> 'allow_java_execstack', 'allow_httpd_sys_script_anon_write',
> 'samba_share', 'filesystem_associate', 'fcron_crond',
> 'inetd_bind_ports', 'named_write_master_zones', 'qemu_file_image',
> 'catchall', 'allow_mplayer_execstack', 'httpd_can_sendmail',
> 'httpd_enable_homedirs', 'wine', 'xen_image',
> 'secure_mode_policyload', 'allow_execmod', 'disable_ipv6',
> 'httpd_can_network_connect_db', 'sys_module', 'bind_ports',
> 'samba_export_all_rw', 'use_samba_home_dirs', 'rsync_data',
> 'allow_kerberos', 'httpd_ssi_exec', 'mmap_zero', 'global_ssp',
> 'allow_rsync_anon_write', 'cvs_data', 'allow_ftpd_anon_write',
> 'device', 'catchall_boolean', 'automount_exec_config', 'leaks',
> 'setenforce', 'ftpd_is_daemon', 'allow_zebra_write_config',
> 'firefox', 'nfs_export_all_ro', 'httpd_enable_cgi',
> 'httpd_tty_comm', 'public_content', 'ftp_home_dir',
> 'prelink_mislabled', 'allow_execstack', 'spamd_enable_home_dirs',
> 'sshd_root', 'samba_share_nfs', 'httpd_builtin_scripting',
> 'allow_ftpd_full_access', 'default', 'allow_ftpd_use_nfs',
> 'samba_enable_home_dirs', 'restorecon', 'selinuxpolicy',
> 'pppd_can_insmod', 'allow_daemons_dump_core',
> 'httpd_write_content', 'allow_httpd_anon_write',
> 'secure_mode_insmod', 'kernel_modules', 'samba_export_all_ro',
> 'httpd_enable_ftp_server', 'allow_postfix_local_write_mail_spool',
> 'execute', 'privoxy_connect_any', 'use_nfs_home_dirs',
> 'allow_smbd_anon_write', 'sys_resource', 'allow_ftpd_use_cifs',
> 'connect_ports', 'swapfile', 'httpd_use_nfs',
> 'httpd_can_network_relay', 'allow_cvs_read_shadow',
> 'squid_connect_any', 'mounton', 'qemu_blk_image',
> 'user_tcp_server', 'restore_source_context']
> 2011-11-01 15:11:53,923 [plugin.INFO] importing /usr/share/setroubleshoot/plugins/__init__ as plugins
> 2011-11-01 15:11:55,114 [avc.DEBUG] Number of Plugins = 90
> 2011-11-01 15:11:55,116 [communication.DEBUG] parse_socket_address_list: input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
> 2011-11-01 15:11:55,117 [communication.DEBUG] parse_socket_address_list: {unix}/var/run/setroubleshoot/setroubleshoot_server --> {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
> 2011-11-01 15:11:55,118 [communication.DEBUG] new_listening_socket: {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
> 2011-11-01 15:11:55,118 [server.INFO] creating system dbus: bus_name=org.fedoraproject.Setroubleshootd object_path=/org/fedoraproject/Setroubleshootd interface=org.fedoraproject.SetroubleshootdIface
> 2011-11-01 15:11:55,119 [server.DEBUG] dbus __init__ /org/fedoraproject/Setroubleshootd called
> 2011-11-01 15:12:05,119 [server.DEBUG] received signal=14
> 2011-11-01 15:12:05,119 [server.DEBUG] KeyboardInterrupt in RunFaultServer
> 2011-11-01 15:12:05,119 [database.DEBUG] writing database (/var/lib/setroubleshoot/audit_listener_database.xml) modified_count=0
> ------------------------
> 
> I've found this resource,
> http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4621954,
> but have no idea how to make that change or where that modification would
> go.
> 
> Please let me know what other information would be useful.
> 
> Thanks - Trey

Do you have the allow_httpd_mod_auth_pam boolean turned on?


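An added example, not from either poster: a small POSIX sh triage that reduces the AVC records Trey quoted to a source-type/class/permission key and maps the one seen here (httpd_t creating a netlink_audit_socket, which is PAM's audit_open() failing) to the boolean Dan asks about. The audit sample is constructed from the two denials in the thread plus one unrelated record; the boolean name is the one used in the reply, and the live check only does anything on an SELinux host.

```shell
#!/bin/sh
# Added example (not the thread's own code). AUDIT_SAMPLE is constructed from
# the two AVC records in the post plus an unrelated sshd record for contrast.
AUDIT_SAMPLE='type=AVC msg=audit(1320178016.209:919): avc:  denied  { create } for  pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1320178018.386:920): avc:  denied  { create } for  pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1320178020.000:921): avc:  denied  { read } for  pid=4242 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Reduce one AVC record to source_type:tclass:permission, e.g.
# httpd_t:netlink_audit_socket:create. Returns 1 if the line is not an AVC.
denial_key() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied  { \([a-z_]*\) }.*/\1/p')
    stype=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^ ]*:\([a-z_]*_t\):.*/\1/p')
    tclass=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ -n "$perm" ] && [ -n "$stype" ] && [ -n "$tclass" ] || return 1
    echo "$stype:$tclass:$perm"
}

# Map a denial key to the boolean expected to permit it. Only the case from
# the thread is known here; anything else is left to audit2allow -w.
suggest_boolean() {
    case "$1" in
        httpd_t:netlink_audit_socket:create) echo allow_httpd_mod_auth_pam ;;
        *) echo '(no boolean known; run audit2allow -w)' ;;
    esac
}

# Walk a log and print "comm key -> boolean" for every AVC denial in it.
triage() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        key=$(denial_key "$line") || continue
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        echo "$comm $key -> $(suggest_boolean "$key")"
    done
}

# Live check, meaningful only on an SELinux host: show the boolean's state.
# Turning it on persistently is: setsebool -P allow_httpd_mod_auth_pam on
check_live() {
    command -v getsebool >/dev/null 2>&1 || { echo 'getsebool not found'; return 1; }
    getsebool allow_httpd_mod_auth_pam
}

triage "$AUDIT_SAMPLE"
```

Both denials in the thread reduce to the same key, which is why a single boolean covers the httpd and unix_chkpwd records at once.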